Forward-port ppc64le image creation (with nerfed signing)

Signed-off-by: Robbie Harwood <rharwood@redhat.com>
This commit is contained in:
Robbie Harwood 2022-11-21 19:58:18 +00:00
parent 3972172d4d
commit 06e51d2a65
2 changed files with 106 additions and 28 deletions

View file

@ -77,6 +77,7 @@
%global emuarch %{_arch}
%global grubefiarch %{nil}
%global grublegacyarch %{nil}
%global grubelfname %{nil}
# sparc is always compiled 64 bit
%ifarch %{sparc}
@ -116,11 +117,20 @@
%{!?with_efi_only:%global without_efi_only 0}
%{?with_efi_only:%global without_efi_only 1}
### fixme
%ifarch %{efi_arch}
%global efi_modules " efi_netfs efifwsetup efinet lsefi lsefimmap connectefi "
%endif
%ifarch x86_64 %{ix86}
%global platform_modules " backtrace chain tpm usb usbserial_common usbserial_pl2303 usbserial_ftdi usbserial_usbdebug keylayouts at_keyboard "
%endif
%ifarch ppc64le
%global platform_modules " appendedsig tpm ofnet "
%endif
%ifarch aarch64 %{arm} riscv64
%global efi_modules " "
%else
%global efi_modules " backtrace chain tpm usb usbserial_common usbserial_pl2303 usbserial_ftdi usbserial_usbdebug keylayouts at_keyboard connectefi "
%global platform_modules " "
%endif
%ifarch aarch64 %{arm} riscv64
@ -220,6 +230,7 @@
%global with_legacy_arch 1
%global grublegacyarch %{legacy_target_cpu_name}-%{platform}
%global moduledir %{legacy_target_cpu_name}-%{platform}
%global grubelfname core.elf
%endif
%global evr %{epoch}:%{version}-%{release}
@ -380,14 +391,31 @@ install -m 644 %{1}.conf ${RPM_BUILD_ROOT}/etc/dnf/protected.d/ \
rm -f %{1}.conf \
%{nil}
%global grub_modules " all_video boot blscfg btrfs \\\
cat configfile cryptodisk \\\
echo ext2 f2fs fat font \\\
gcry_rijndael gcry_rsa gcry_serpent \\\
gcry_sha256 gcry_twofish gcry_whirlpool \\\
gfxmenu gfxterm gzio \\\
halt hfsplus http increment iso9660 \\\
jpeg loadenv loopback linux lvm luks \\\
luks2 mdraid09 mdraid1x minicmd net \\\
normal part_apple part_msdos part_gpt \\\
password_pbkdf2 pgp png reboot regexp \\\
search search_fs_uuid search_fs_file \\\
search_label serial sleep syslinuxcfg \\\
test tftp version video xfs zstd " \
%ifarch x86_64 aarch64 %{arm} riscv64
%define mkimage() \
%define efi_mkimage() \
%{4}./grub-mkimage -O %{1} -o %{2}.orig \\\
-p /EFI/%{efi_vendor} -d grub-core ${GRUB_MODULES} \\\
--sbat %{4}./sbat.csv \
-p /EFI/%{efi_vendor} -d grub-core \\\
--sbat %{4}./sbat.csv \\\
${GRUB_MODULES} \
%{4}./grub-mkimage -O %{1} -o %{3}.orig \\\
-p /EFI/BOOT -d grub-core ${GRUB_MODULES} \\\
--sbat %{4}./sbat.csv \
-p /EFI/BOOT -d grub-core \\\
--sbat %{4}./sbat.csv \\\
${GRUB_MODULES} \
%{expand:%%define ___pesign_client_cert %{?___pesign_client_cert}%{!?___pesign_client_cert:%{__pesign_client_cert}}} \
%{?__pesign_client_cert:%{expand:%%define __pesign_client_cert %{___pesign_client_cert}}} \
%{expand:%%{pesign -s -i %%{2}.orig -o %%{2}.onesig -a %%{5} -c %%{6} -n %%{7}}} \
@ -397,31 +425,65 @@ rm -f %{1}.conf \
%{expand:%%{pesign -s -i %%{3}.onesig -o %%{3} -a %%{5} -c %%{6} -n %%{7}}} \
%{nil}
%else
%define mkimage() \
%define efi_mkimage() \
%{4}./grub-mkimage -O %{1} -o %{2} \\\
-p /EFI/%{efi_vendor} -d grub-core ${GRUB_MODULES} \
-p /EFI/%{efi_vendor} -d grub-core \\\
${GRUB_MODULES} \
%{4}./grub-mkimage -O %{1} -o %{3} \\\
-p /EFI/BOOT -d grub-core ${GRUB_MODULES} \
-p /EFI/BOOT -d grub-core \\\
${GRUB_MODULES} \
%{nil}
%endif
%ifarch ppc64le
%if 0%{?rhel}
%define ieee1275_mkimage() \
APPENDED_SIG_SIZE=0 \
if [ -x /usr/bin/rpm-sign ]; then \
touch empty.unsigned \
rpm-sign --key %{4} \\\
--lkmsign empty.unsigned \\\
--output empty.signed \
APPENDED_SIG_SIZE="$(stat -c '%s' empty.signed)" \
rm empty.{un,}signed \
fi \
# FIXME: using this prefix is fragile, must be done properly \
./grub-mkimage -O %{1} -o %{2}.orig \\\
-p '/grub2' -d grub-core \\\
-x %{3} \\\
--appended-signature-size ${APPENDED_SIG_SIZE} \\\
${GRUB_MODULES} \
if [ -x /usr/bin/rpm-sign ]; then \
truncate -s -${APPENDED_SIG_SIZE} %{2}.orig \
rpm-sign --key %{4} \\\
--lkmsign %{2}.orig \\\
--output %{2} \
else \
mv %{2}.orig %{2} \
fi \
%{nil}
%else
# Fedora et al.
%define ieee1275_mkimage() \
./grub-mkimage -O %{1} -o %{2}.orig -p '/grub2' -d grub-core ${GRUB_MODULES} \
mv %{2}.orig %{2}
%{nil}
%endif
%endif
%define do_efi_build_images() \
GRUB_MODULES=" all_video boot blscfg btrfs \\\
cat configfile cryptodisk \\\
echo efi_netfs efifwsetup efinet ext2 f2fs \\\
fat font gcry_rijndael gcry_rsa gcry_serpent \\\
gcry_sha256 gcry_twofish gcry_whirlpool \\\
gfxmenu gfxterm gzio \\\
halt hfsplus http increment iso9660 jpeg \\\
loadenv loopback linux lvm lsefi lsefimmap luks \\\
luks2 mdraid09 mdraid1x minicmd net \\\
normal part_apple part_msdos part_gpt \\\
password_pbkdf2 pgp png read reboot \\\
regexp search search_fs_uuid search_fs_file \\\
search_label serial sleep syslinuxcfg test tftp \\\
version video xfs zstd " \
GRUB_MODULES+=%{grub_modules} \
GRUB_MODULES+=%{efi_modules} \
%{expand:%%{mkimage %{1} %{2} %{3} %{4}}} \
GRUB_MODULES+=%{platform_modules} \
%{expand:%%{efi_mkimage %{1} %{2} %{3} %{4}}} \
%{nil}
%define do_ieee1275_build_images() \
GRUB_MODULES+=%{grub_modules} \
GRUB_MODULES+=%{platform_modules} \
cd grub-%{1}-%{tarversion} \
%{expand:%%ieee1275_mkimage %%{1} %%{2} %%{3} %%{4}} \
cd .. \
%{nil}
%define do_primary_efi_build() \
@ -536,6 +598,9 @@ fi \
if [ -f $RPM_BUILD_ROOT%{_infodir}/grub-dev.info ]; then \
rm -f $RPM_BUILD_ROOT%{_infodir}/grub-dev.info \
fi \
%{expand:%ifarch ppc64le \
install -m 700 %{grubelfname} $RPM_BUILD_ROOT/%{_libdir}/grub/%{1} \
%endif} \
if [ -f $RPM_BUILD_ROOT/%{_libdir}/grub/%{1}/grub2.chrp ]; then \
mv $RPM_BUILD_ROOT/%{_libdir}/grub/%{1}/grub2.chrp \\\
$RPM_BUILD_ROOT/%{_libdir}/grub/%{1}/grub.chrp \
@ -595,12 +660,19 @@ ln -s ../boot/grub2/grub.cfg \\\
%ghost %config(noreplace) %attr(0700,root,root)/boot/grub2/grub.cfg \
%dir %attr(0700,root,root)/boot/loader/entries \
%attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/grub2-%{1}.conf \
%ifarch ppc64le \
%dir %{_libdir}/grub/%{2}/ \
%{_libdir}/grub/%{2}/%{grubelfname} \
%endif \
\
%{expand:%if 0%{?with_legacy_modules} \
%{expand:%%files %{1}-modules} \
%defattr(-,root,root) \
%dir %{_libdir}/grub/%{2}/ \
%{_libdir}/grub/%{2}/* \
%ifarch ppc64le \
%exclude %{_libdir}/grub/%{2}/%{grubelfname} \
%endif \
%exclude %{_libdir}/grub/%{2}/*.module \
%exclude %{_libdir}/grub/%{2}/{boot,boot_hybrid,cdboot,diskboot,lzma_decompress,pxeboot}.image \
%exclude %{_libdir}/grub/%{2}/*.o \

View file

@ -17,7 +17,7 @@
Name: grub2
Epoch: 1
Version: 2.06
Release: 63%{?dist}
Release: 64%{?dist}
Summary: Bootloader with support for Linux, Multiboot and more
License: GPLv3+
URL: http://www.gnu.org/software/grub/
@ -210,6 +210,9 @@ git commit -m "After making subdirs"
%if 0%{with_emu_arch}
%{expand:%do_emu_build}
%endif
%ifarch ppc64le
%{expand:%do_ieee1275_build_images %%{grublegacyarch} %{grubelfname} %{sb_cer} %{sb_key}}
%endif
makeinfo --info --no-split -I docs -o docs/grub-dev.info \
docs/grub-dev.texi
makeinfo --info --no-split -I docs -o docs/grub.info \
@ -529,6 +532,9 @@ mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg
%endif
%changelog
* Mon Nov 21 2022 Robbie Harwood <rharwood@redhat.com> - 1:2.06-64
- Forward-port ppc64le image creation (with nerfed signing)
* Tue Nov 08 2022 Robbie Harwood <rharwood@redhat.com> - 1:2.06-63
- Font fixes (CVE-2022-2601 batch)